Tuesday, July 3, 2012

Facebook tracks you even after you've logged out

Hacker Nik Cubrilovic is reporting on his blog that Facebook can still track the websites you visit even after you have logged out of the social networking site.

Cubrilovic conducted a series of tests, which showed that Facebook only modifies the tracking cookies instead of deleting them once you log out. It appears that your account information is still contained within the cookies so that whenever you visit a website that features a Facebook share button or widget, your browser sends information back to Facebook.

Cubrilovic told VentureBeat: "They definitely have the information stored. As to what they do with it, you can only speculate."

Gregg Stefancik, an engineer who works on login systems at Facebook, commented on his post: "Our cookies aren't used for tracking. They just aren't. Instead, we use our cookies to either provide custom content (e.g. your friend's likes within a social plugin), help improve or maintain our service (e.g. measuring click-through rates to help optimise performance), or protect our users and our service (e.g. defending denial of service attacks or requiring a second authentication factor for a login from a suspicious location)."

He said that the data from the logged-out cookies are used to prevent security risks by: "identifying and disabling spammers and phishers; disabling registration if an underage user tries to re-register with a different birth date; helping people recover hacked accounts and identifying shared computers to discourage the use of 'keep me logged in'."

Cubrilovic came to his conclusion after analysing the HTTP headers that browsers send to Facebook.com -- something anyone can do with a browser that has developer tools.

In order to prevent Facebook from being able to track you, you need to delete all Facebook-related cookies once you've logged out. According to Hacker News, you can also use AdBlock Plus.

Cubrilovic says he first noticed this issue in November 2010 and emailed Facebook to see if it would respond, but that so far it hasn't. He calls for Facebook to "address privacy issues and to give their users the tools required to manage their privacy and to implement clear policies -- not pages and pages of confusing legal documentation, and 'logout' not really meaning 'logout'."